cnvd - cnvd-2021-47648

cnvd-2021-47648

Vulnerability from cnvd

Title: Sylius未授权访问漏洞

Description:

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。

Sylius在1.9.5和1.10.0-RC之前的版本中存在安全漏洞，该漏洞源于在Sylius所下订单的部分细节(订单ID、订单号、商品总数和令牌值)暴露给未授权用户。攻击者可利用该漏洞获取一些额外的重要敏感信息。

Severity: 中

Patch Name: Sylius未授权访问漏洞的补丁

Patch Description:

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。

Sylius在1.9.5和1.10.0-RC之前的版本中存在安全漏洞，该漏洞源于在Sylius所下订单的部分细节(订单ID、订单号、商品总数和令牌值)暴露给未授权用户。攻击者可利用该漏洞获取一些额外的重要敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v

Reference: https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v

Impacted products

Name
['sylius Sylius <1.9.5', 'sylius Sylius <1.10.0-RC']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32720",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-32720"
    }
  },
  "description": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\n\nSylius\u57281.9.5\u548c1.10.0-RC\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728Sylius\u6240\u4e0b\u8ba2\u5355\u7684\u90e8\u5206\u7ec6\u8282(\u8ba2\u5355ID\u3001\u8ba2\u5355\u53f7\u3001\u5546\u54c1\u603b\u6570\u548c\u4ee4\u724c\u503c)\u66b4\u9732\u7ed9\u672a\u6388\u6743\u7528\u6237\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4e00\u4e9b\u989d\u5916\u7684\u91cd\u8981\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47648",
  "openTime": "2021-07-06",
  "patchDescription": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nSylius\u57281.9.5\u548c1.10.0-RC\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728Sylius\u6240\u4e0b\u8ba2\u5355\u7684\u90e8\u5206\u7ec6\u8282(\u8ba2\u5355ID\u3001\u8ba2\u5355\u53f7\u3001\u5546\u54c1\u603b\u6570\u548c\u4ee4\u724c\u503c)\u66b4\u9732\u7ed9\u672a\u6388\u6743\u7528\u6237\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4e00\u4e9b\u989d\u5916\u7684\u91cd\u8981\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sylius\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "sylius Sylius \u003c1.9.5",
      "sylius Sylius \u003c1.10.0-RC"
    ]
  },
  "referenceLink": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-29",
  "title": "Sylius\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e"
}

CVE-2021-32720 (GCVE-0-2021-32720)

Vulnerability from cvelistv5

Published

2021-06-28 18:45

Modified

2024-08-03 23:25

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension` and throw `Symfony\Component\Security\Core\Exception\AccessDeniedException` if the class is executed for unauthorized user.

References

▼	URL	Tags
	https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v	x_refsource_CONFIRM
	https://github.com/Sylius/Sylius/releases/tag/v1.9.5	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Version: >= 1.9.0, < 1.9.5 Version: >= 1.10.0-ALPHA.1, <= 1.10.0-BETA.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.9.0, \u003c 1.9.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-28T18:45:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
        }
      ],
      "source": {
        "advisory": "GHSA-rpxh-vg2x-526v",
        "discovery": "UNKNOWN"
      },
      "title": "List of order ids, number, items total and token value exposed for unauthorized uses via new API",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32720",
          "STATE": "PUBLIC",
          "TITLE": "List of order ids, number, items total and token value exposed for unauthorized uses via new API"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sylius",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.9.0, \u003c 1.9.5"
                          },
                          {
                            "version_value": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Sylius"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v",
              "refsource": "CONFIRM",
              "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rpxh-vg2x-526v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32720",
    "datePublished": "2021-06-28T18:45:11",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted